Bug #63636 Use array() in class result in php crash (in Rshutdown of apc with php5.4.x)
Submitted: 2012-11-28 13:26 UTC Modified: 2013-05-12 12:58 UTC
From: cfc4n at cnxct dot com Assigned: ab (profile)
Status: Closed Package: APC (PECL)
PHP Version: 5.4.9 OS: ubuntu 12.04 && centos 6.2
Private report: No CVE-ID: None
 [2012-11-28 13:26 UTC] cfc4n at cnxct dot com
Description:
------------
php5.4.8
dump server:ubuntu 12.04 64bit (gcc 4.6.3)
load server:centos 6.2  64bit (gcc 4.6.3)
Use dump.php to dump a.php to a bin file with the apc_bin_dumpfile function on the dump
server (ubuntu 12.04), and copy this bin file to another server (centos 6.2), then use
load.php to load this bin file. It results in a core dump. But it works
on the dump server ....

And if I remove the static array() syntax, it works in php5.4.x too.

So, I think maybe there is something wrong with the cross compiler, but I can't find it.  :(
-----------------------------------
PS: In php5.3.x, it works.


Test script:
---------------
compile param:
./configure  --prefix=/usr/local/service/php --with-config-file-path=/usr/local/service/php/etc --with-pdo-mysql=mysqlnd --with-mysql=mysqlnd --with-mysqli=mysqlnd --enable-bcmath --with-mcrypt --enable-fpm

a.php:
<?php
class T{
    //private static $_instance; // This works.

    private static $_instance = array(); // This crashes
    public function __construct() {
        if ( self::$_instance[$c] ) {
            throw new Exception('Single Forbidden');
        }
    }
    public static function getInstance($a = array()){
        $c = get_called_class();
        if (self::$_instance[$c] == null ) {
            self::$_instance[$c] = new $c();
        }
        return self::$_instance[$c];
    }

    public function hello() {
        echo "hello world!";
    }
}

class B{
    private static $_instance = array();
    public function hello() {
        echo "hello world BB!";
    }
}
?>

dump.php:
<?php
$dir = dirname(__FILE__);
apc_compile_file($dir.'/T.php');
apc_bin_dumpfile(array($dir.'/T.php'), array(), 'apc.bin');
?>


load.php:
<?php
error_reporting(E_ALL ^ E_NOTICE);
$dir = dirname(__FILE__);
apc_bin_loadfile('apc.bin');

var_dump( apc_cache_info());
include($dir.'/T.php');
$t = new T(); 
$t->getInstance();
$t->hello();
?>

Expected result:
----------------
Fix it, with the same result as in php5.3.x (ZEND_ENGINE_2_3)

Actual result:
--------------
#0  0x000000000092dac0 in zend_inline_hash_func (arKey=0xffffffff <Address 0xffffffff out of bounds>, nKeyLength=1) at /home/cfc4n/php-5.4.8/Zend/zend_hash.h:283
#1  0x000000000092dcfe in _zend_hash_add_or_update (ht=0x11fec60, arKey=0xffffffff <Address 0xffffffff out of bounds>, nKeyLength=1, pData=0x7fffffffcdb0, nDataSize=32, pDest=0x0, flag=2) at /home/cfc4n/php-5.4.8/Zend/zend_hash.c:215
#2  0x00000000009078aa in zend_register_auto_global (name=0x7fffffffcde0 "", name_len=0, jit=160 \240, auto_global_callback=0x1290780) at /home/cfc4n/php-5.4.8/Zend/zend_compile.c:6667
#3  0x000000000091c63b in _zval_dtor_func (zvalue=0x7ffff7fcce40) at /home/cfc4n/php-5.4.8/Zend/zend_variables.c:43
#4  0x000000000090b4b9 in _zval_dtor (zval_ptr=0x7ffff7fd0b28) at /home/cfc4n/php-5.4.8/Zend/zend_variables.h:35
#5  _zval_ptr_dtor (zval_ptr=0x7ffff7fd0b28) at /home/cfc4n/php-5.4.8/Zend/zend_execute_API.c:438
#6  0x00007fffeb8335db in apc_free_class_entry_after_execution (src=0x7ffff7fd0bf0) at /home/cfc4n/APC-3.1.13/apc_compile.c:1992
#7  0x00007fffeb836bb4 in apc_deactivate () at /home/cfc4n/APC-3.1.13/apc_main.c:948
#8  0x00007fffeb836ccf in apc_request_shutdown () at /home/cfc4n/APC-3.1.13/apc_main.c:1042
#9  0x00007fffeb826ce4 in zm_deactivate_apc (type=1, module_number=46) at /home/cfc4n/APC-3.1.13/php_apc.c:407
#10 0x00000000009280ba in zend_deactivate_modules () at /home/cfc4n/php-5.4.8/Zend/zend_API.c:2335
#11 0x000000000089bf74 in php_request_shutdown (dummy=0x0) at /home/cfc4n/php-5.4.8/main/main.c:1759
#12 0x0000000000a5437b in do_cli (argc=2, argv=0x7fffffffe678) at /home/cfc4n/php-5.4.8/sapi/cli/php_cli.c:1171
#13 0x0000000000a54947 in main (argc=2, argv=0x7fffffffe678) at /home/cfc4n/php-5.4.8/sapi/cli/php_cli.c:1364

 [2012-11-29 02:08 UTC] cfc4n at cnxct dot com
Sorry, a.php was just T.php; that was a typo.
 [2012-11-29 02:22 UTC] cfc4n at cnxct dot com
I'm so sorry, the content of load.php was:

<?php
$dir = dirname(__FILE__);
apc_bin_loadfile('apc.bin');

var_dump( apc_cache_info());
include($dir.'/T.php');
$t = T::getInstance();
$t->hello();   // core .....

$b = new B();
$b->hello();    // not core



The wrong content was left over from a test for the non-static array syntax. And using a common
array syntax gave the same result -- core dump.
 [2012-11-29 04:09 UTC] cfc4n at cnxct dot com
I tried to do something to fix it, but failed.
And I only used one of these ways:
1, do not use array in class (use php5.4.x)
2, do not use php5.4.x
3, remove line 1992 and 2003 of apc_compile.c
4, waiting for you...

Help....
 [2012-11-29 08:22 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: ab
 [2012-11-29 08:22 UTC] pajoye@php.net
Anatoliy can you take a look pls? And maybe try to create a smaller script?
 [2012-11-29 10:00 UTC] ab@php.net
@cfc4n
Which APC version is in use? Please give the APC ini. Is PHP thread safe or not? How exactly does it crash, cli?
 [2012-11-29 10:19 UTC] cfc4n at cnxct dot com
@ab
apc 3.1.13

extension=apc.so
apc.enabled = 1
apc.enable_cli = 1
apc.cache_by_default = on
apc.shm_segments = 1
apc.shm_size = 32M
apc.num_files_hint = 600
apc.user_entries_hint = 4096
apc.write_lock = On
apc.stat = 0
apc.stat_ctime = 0
apc.ttl=0
apc.gc_ttl=0
apc.user_ttl=0
apc.serializer=php
apc.file_md5=1
 [2012-11-29 10:25 UTC] cfc4n at cnxct dot com
Non-ZTS, and the SAPI was cli.
Default settings in php.ini, and no other PHP extensions are used.
 [2012-11-29 20:50 UTC] ab@php.net
I've tested the issue on Ubuntu 64bit with PHP from the dotdeb repos and CentOS with php from http://blog.famillecollet.com/ and couldn't reproduce the crash. Tested on 32 bit Linux/Windows - no issue as well.

What CFLAGS are used in your builds? Or, which repos were you using?
 [2012-11-30 02:47 UTC] cfc4n at cnxct dot com
@ab
Thanks for your work first.
I did not use an rpm php. I downloaded a tgz file from
download.php.net (http://cn2.php.net/get/php-5.4.8.tar.gz/from/this/mirror) and
compiled and installed it with these parameters:
 ./configure  --prefix=/usr/local/services/php --with-config-file-path=/usr/local/services/php/etc --with-pdo-mysql=mysqlnd --with-mysql=mysqlnd --with-mysqli=mysqlnd --enable-bcmath --with-mcrypt --enable-fpm  --enable-debug CFLAGS="-O0 -g3" LDFLAGS="-O0 -g3"

Please try again,thanks.
 [2012-11-30 12:57 UTC] ab@php.net
Now I've got some kind of bt on centos 64bit compiling php with your options, but it appears when I just enable apc 3.1.13 from pecl and run php -i. Here it is:

======= Backtrace: =========
/lib64/libc.so.6[0x3bc8475916]
php(destroy_zend_class+0x42b)[0x83f6a2]
php(zend_hash_clean+0xd4)[0x860581]
/usr/local/lib/php/extensions/debug-non-zts-20100525/apc.so(apc_interned_strings_shutdown+0x30)[0x7fbfa911e514]
/usr/local/lib/php/extensions/debug-non-zts-20100525/apc.so(apc_module_shutdown+0x1ff)[0x7fbfa91135fa]
/usr/local/lib/php/extensions/debug-non-zts-20100525/apc.so(+0xbaa7)[0x7fbfa9103aa7]
php[0x85828d]
php[0x860789]
php(zend_hash_graceful_reverse_destroy+0x43)[0x86091a]
php(zend_destroy_modules+0x2c)[0x856594]
php[0x84d915]
php(php_module_shutdown+0x2d)[0x7c19ad]
php[0x9a1870]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3bc841ecdd]
php[0x421999]

I'm not sure that corresponds to the case, but anyway compiling and loading apc trunk produces no trace like that. Also using APC trunk I'm able to load the bin previously produced on ubuntu with the dotdeb binaries. Could you please try APC trunk with your constellation?
 [2012-12-04 05:51 UTC] cfc4n at cnxct dot com
@ab
They are not the same.
It happened in RSHUTDOWN on mine, but it happened in MSHUTDOWN on yours.

Did you test it using the apc_bin_dump/apc_bin_load functions?
Setup 1: Run dump.php to create a binfile.
Setup 2: Copy this binfile to another server.
Setup 3: Run load.php. It'll load the binfile and echo some characters, and core dump
in rshutdown...

I only see "php -i" used to test this bug in your comments. Can you try again?
Thank you very much, ab.
 [2012-12-04 08:09 UTC] ab@php.net
Hi,

yes, of course I've tested with the scenario you gave in the description and with your scripts. Actually I was able to load the dump with 3.1.13 and with trunk. The bt I gave recalls 3.1.13 but not the trunk and is the only flashy behaviour I could see. Have you tried to use the trunk?
 [2012-12-04 08:12 UTC] pajoye@php.net
I think that whether it happens in RSHUTDOWN or MSHUTDOWN is not very relevant.

If the memory is corrupted in the cache or other areas used by APC, then the crash 
can happen in both, or somewhere else earlier if we are unlucky.
 [2012-12-04 09:33 UTC] cfc4n at cnxct dot com
@ab
Thanks for your work.
I tried to use trunk (r328295) to reproduce that. It was the same result as with apc
3.1.13.

I'm sorry, maybe I am not sure how to reproduce it. I'll do more work
on it until I find the way to reproduce it, or you find the way.


@pajoye
Yes, that is not very relevant...

I'll test this bug on my new test server, neeew server.

Thanks all.

PS: How about BUG #63491?
 [2013-05-12 12:58 UTC] ab@php.net
No feedback since long, looks like it can be closed.
 [2013-05-12 12:58 UTC] ab@php.net
-Status: Assigned +Status: Closed
 
Last updated: Sun Sep 15 12:01:26 2019 UTC